From 3ef31a0b77133e4c3eacc1c7d46d917746e438d7 Mon Sep 17 00:00:00 2001
From: Owen Leonard
Date: Thu, 15 Oct 2020 13:33:29 +0000
Subject: [PATCH] Bug 26572: (QA follow-up) Escape strings in autocomplete

This patch updates the construction of the autocomplete dropdown so that values are escaped.

Signed-off-by: Jonathan Druart
---
 koha-tmpl/intranet-tmpl/prog/js/viewlog.js | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/koha-tmpl/intranet-tmpl/prog/js/viewlog.js b/koha-tmpl/intranet-tmpl/prog/js/viewlog.js
index ff835f5787..0b867b05bc 100644
--- a/koha-tmpl/intranet-tmpl/prog/js/viewlog.js
+++ b/koha-tmpl/intranet-tmpl/prog/js/viewlog.js
@@ -159,9 +159,15 @@ $(document).ready(function(){
 // Display card number in parentheses if it exists
 cardnumber = " (" + item.cardnumber + ") ";
 }
+ var itemString = "" + (item.surname ? item.surname.escapeHtml() : "") + ", " + (item.firstname ? item.firstname.escapeHtml() : "") + cardnumber.escapeHtml() + " ";
+ itemString += (item.address ? item.address.escapeHtml() : "") + " "
+ + (item.city ? item.city.escapeHtml() : "") + " "
+ + (item.zipcode ? item.zipcode.escapeHtml() : "") + " "
+ + (item.country ? item.country.escapeHtml() : "")
+ + "";
 return $("
  • ")
 .data("ui-autocomplete-item", item)
- .append("" + item.surname + ", " + item.firstname + cardnumber + " " + item.dateofbirth + " " + item.address + " " + item.city + " " + item.zipcode + " " + item.country + "")
+ .append(itemString)
 .appendTo(ul);
 };
 }
--
2.39.5
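Review bot: The new `itemString` no longer includes `item.dateofbirth`, which the removed `.append(...)` line displayed, while the commit message mentions only escaping. If the omission is deliberate it should be stated; otherwise restore it escaped, e.g. `+ (item.dateofbirth ? item.dateofbirth.escapeHtml() : "") + " "`. Separately, each field is escaped by hand through `escapeHtml()`, a string method defined outside this hunk, so a field added later without that call would put unescaped patron data back into the markup passed to `.append()`, and a non-string value would presumably throw on the method call. A small local helper such as `function esc(v) { return v ? String(v).escapeHtml() : ""; }` would make the guard uniform across fields. The render callback starts and ends outside the hunk, so how `cardnumber` is initialised when `item.cardnumber` is empty is not visible here.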